Thread: Help, virus has hijacked my browser.

#1 Subscriber (On the lost highway, Scotland; joined Feb 2007; 417 posts)

    Since last night I have had a problem with a hijacker-type trojan that is redirecting links from Google search pages. I suspect the culprit may be RTKT_STITCH.D, but I am unable to do a search for a solution. My antivirus website (Trend Micro) is also being blocked, so I am unable to contact the support techies.

    My antivirus software is locking up at the cleaning stage.

    I have tried to do a system restore, but this is also blocked.

    Any help in eradicating this menace gratefully received.

    Hank

#2 worthydolt (Guest)
    Hello Hank,

    You'll need to give us a bit more to go on.

    What do you mean you're being redirected from Google search pages?
    Sounds like you can reach Google OK. You type some search term. What happens when you hit 'Google Search'?
    Do you get a bunch of results back? If not what page is loaded?
    Or do you get search results back and when you click on one you're taken to an unexpected page?
    What makes you think you have RTKT_STITCH.D?
    What's the operating system? Windows XP?
    There is a file called lmhosts that usually lives in
    C:\WINDOWS\system32\drivers\etc
    or
    C:\WINNT\system32\drivers\etc

    Does that have any lines in it which don't start with a #?

    And what's stopping you doing a system restore? What message are you seeing?

    Cheers

#3 Subscriber (On the lost highway, Scotland; joined Feb 2007; 417 posts)
    I am running on XP.

    When I click a link on the Google search results a new tab opens and takes me to a totally unrelated website.

    When I tried to roll back the system to a recent checkpoint I get as far as "press next to restore"; when I press the button nothing happens. No error messages.



    Here is a copy of the virus scan log.

    "Virus Scan Logs" "Sep 15, 2008" ""
    "Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
    "08:00" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
    "08:00" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Fail" ""
    "09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
    "09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
    "09:47" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
    "11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
    "11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
    "11:12" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""


    Hope this gives a better picture of my problems

    Thanks for helping.

    Hank
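
The log above already carries the two facts that matter: the same three tdss*.dll files are detected on every scan (08:00, 09:47, 11:12), and the first attempt to quarantine tdssserf.dll, the one Trend Micro classes with its RTKT_ (rootkit) prefix, failed outright. A file that cannot be quarantined on the live system and whose siblings keep coming back after a "Quarantined Success" is being re-dropped by something the scanner is not seeing, which is why the later advice in this thread to rebuild rather than clean is sound. The following script is an added example, not part of the thread and not a Trend Micro tool: it parses Hank's log exactly as posted and separates "quarantine failed" from "reappeared after quarantine". The space-separated quoted-column layout is inferred from the post, not from any vendor documentation.

```python
"""Triage a Trend Micro style scan log: which files could not be quarantined,
and which keep reappearing after a quarantine the scanner called successful.

Added example for this thread (not the thread's or Trend Micro's code).
SAMPLE_LOG is the log posted in the thread, embedded as sample input; the
column layout (a title row, a header row, then space-separated quoted fields)
is assumed from that post.
"""
import csv
from collections import defaultdict

SAMPLE_LOG = r'''
"Virus Scan Logs" "Sep 15, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"08:00" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"08:00" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Fail" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
'''


def parse_scan_log(text):
    """Return one dict per detection, keyed by the header row's column names."""
    rows = list(csv.reader(text.strip().splitlines(), delimiter=" ", quotechar='"'))
    header = rows[1]  # row 0 is the report title and date, row 1 the column names
    return [dict(zip(header, row)) for row in rows[2:] if len(row) == len(header)]


def triage(records):
    """Group detections per file (case-insensitive path) and flag the two
    patterns that mean the on-box scanner is not winning."""
    by_file = defaultdict(list)
    for rec in records:
        by_file[rec["Infected File"].lower()].append(rec)

    report = {}
    for path, hits in by_file.items():
        hits.sort(key=lambda r: r["Time"])  # HH:MM sorts correctly as text
        actions = [r["First Action"] for r in hits]
        first_ok = next((i for i, a in enumerate(actions) if "Success" in a), None)
        report[path] = {
            "threat": hits[-1]["Threat Name"],
            "scans_detected_in": len({r["Time"] for r in hits}),
            "quarantine_failed": any("Fail" in a for a in actions),
            # Seen again in a later scan after a quarantine reported as successful:
            # the file is being put back by something still running.
            "reappeared_after_quarantine": first_ok is not None and first_ok < len(hits) - 1,
        }
    return report


def needs_offline_cleanup(report):
    """Paths the running system evidently cannot clean itself (boot from
    other media, or rebuild, as the thread advises)."""
    return sorted(p for p, v in report.items()
                  if v["quarantine_failed"] or v["reappeared_after_quarantine"])


if __name__ == "__main__":
    rep = triage(parse_scan_log(SAMPLE_LOG))
    for path, v in sorted(rep.items()):
        print(f"{path}\n  {v['threat']}: seen in {v['scans_detected_in']} scans, "
              f"quarantine failed={v['quarantine_failed']}, "
              f"reappeared={v['reappeared_after_quarantine']}")
    print("\nCannot be trusted to clean from inside Windows:")
    for path in needs_offline_cleanup(rep):
        print("  " + path)
```

Run as-is it reports all three DLLs as needing offline cleanup: tdssserf.dll because a quarantine failed, and all three because they reappear in every later scan. To use it on your own log, read the exported log file into `text` and pass it to `parse_scan_log`; the per-file `scans_detected_in` count is the quickest tell that "Quarantined Success" is not sticking.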

#4 Senior Member (Trapped; joined Sep 2005; 7,443 posts)
    Hank, if that was my machine I would burn all my docs, photos and anything else I wanted to save onto disc.
    Then I would format the drive and re-install XP from scratch.

#5 Subscriber (Warwickshire; joined Sep 2002; 2,914 posts)
    Yup, had exactly the same problem with the same virus t'other day. The latest update from McAfee sorted mine. Is your virus definition file up to date?

    If all else fails, go to the various files identified by your scanner and delete them; they're in c:\windows\system32 and c:\windows\system32\drivers

    To get Google to work, you have to type the link address from the search results manually into the address bar.

    HTH
    As happy as can be!
    Grumpy old twat. And getting grumpier by the minute.

#6 worthydolt (Guest)
    These files are malware, but they don't look like they're piggy-backed on Windows system DLLs, so you could just delete them. But your virus scanner has already done that. That's why they're marked as quarantined.

    It sounds like there's some other stuff going on too. I guess you're using Internet Explorer. Try downloading and installing Firefox (http://www.mozilla.com/en-US/firefox/) and see whether you still get redirected.
    When you get redirected, is it always to the same page? Is it one you'd rather the missus didn't know about?

    Don't forget what I said about LMHOSTS. This file allows you to define redirects. Have a quick look at it. If there's anything you don't understand, post its contents here (only the lines that don't start with a #).

    There's a decent bit of information here:

    http://www.microsoft.com/communities...r=US&sloc=&p=1

    about cleaning malware and rootkits. It might help you.

    You might want to have a look here:

    http://www.theregister.co.uk/2008/08...ack/print.html

    to get wise as to how not to get infected again.

    HTH

#7 Subscriber (On the lost highway, Scotland; joined Feb 2007; 417 posts)
    Thanks for all the help.

    I am going to reinstall Windows and start again, so I may be a bit quiet for a while.

    Am all set with a pile of DVDs ready to make backups of pics and essential docs; will keep you updated on my progress.

    Thanks again

    Hank

#8 Senior Member (choccoland AKA switzerland; joined Apr 2008; 2,769 posts)
    Maybe a bit late, but maybe not. If you are going to do a reinstall and have some extra time, it should be noted that if you format the drive beforehand all the info is still there; a format does not remove the data.

    I always think it's good practice to erase the drive and then do a clean install. Look for a programme called Kill Disk; it will write zeros to the drive so it is in effect a "clean new" drive when you install XP.

#9 Deeply Shallow (On the Border; joined May 2006; 1,892 posts)

    HOSTS file

    If you want to play with your HOSTS file and make it work for you, (not lmhosts as the hosts file takes precedence), look here:

    http://www.mvps.org/winhelp2002/hosts.htm

    Also includes instructions for Vista users.
    Fairly simple to understand.

    Funky Toad also has a neat little utility for the HOSTS file:
    http://www.funkytoad.com/index.php?o...b87653059a245e

    John
    Golden Sprout
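
Posts #2 and #9 both point at the name-resolution override files under system32\drivers\etc. For ordinary DNS names the file that matters is hosts (lmhosts is the NetBIOS-name equivalent), and what to look for is exactly what #2 asks for: lines that don't start with a #. The script below is an added example, not from this thread or from the mvps.org page; it parses a hosts file and classifies every active mapping as sinkholed (pointing at loopback or 0.0.0.0), redirected (pointing at a real address) or malformed, and marks the entry high severity when the name belongs to one of the vendors or services mentioned in this thread. The hosts text is constructed for the demo (only the localhost line and header comments resemble a stock XP file), and 192.0.2.10 is a documentation address standing in for wherever a hijacker would send traffic. One caveat: a sinkhole entry is not malicious by itself (the mvps.org list works by sinkholing ad domains to 0.0.0.0), and a hijacker that opens a new tab on a search click, as this one does, can do that from inside the browser or the kernel without touching hosts at all, so a clean hosts file does not mean a clean machine.

```python
"""Audit a Windows HOSTS file for entries that sinkhole or redirect names.

Added example for this thread, not from it or from mvps.org. SAMPLE_HOSTS is
constructed; the watch list is the vendor/search/update domains named in the
thread plus Windows Update. Nothing here removes the infection, it only shows
what the file is doing to name resolution.
"""
import ipaddress

# Default location on Windows XP (older installs used C:\WINNT instead).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: stock header, the localhost line every box has, one
# deliberate mvps-style ad sinkhole, and three injected hijack lines.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
0.0.0.0         ads.example.com           # deliberate ad block (mvps style)
127.0.0.1       www.trendmicro.com        # injected: AV site "can't be reached"
127.0.0.1       housecall.trendmicro.com  # injected
192.0.2.10      www.google.com            # injected: search traffic sent elsewhere
"""

# Names that a home PC has no legitimate reason to override (suffix match).
WATCH_SUFFIXES = ("trendmicro.com", "microsoft.com", "windowsupdate.com",
                  "google.com", "malwarebytes.org", "mozilla.com")


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping.
    Everything after '#' is a comment; blank lines are skipped; one IP may
    be followed by several names on the same line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((no, ip, name.lower()))
    return entries


def audit_hosts(text, watch_suffixes=WATCH_SUFFIXES):
    """Classify each mapping except the stock localhost entry.
    kind: 'sinkholed' (loopback or 0.0.0.0), 'redirected' (any other
    address) or 'malformed' (not an IP). severity: 'high' when the name is
    on the watch list, else 'low'."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            kind = "malformed"
        else:
            kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        findings.append({"line": no, "host": name, "ip": ip, "kind": kind,
                         "severity": "high" if watched else "low"})
    return findings


def load_and_audit(path=HOSTS_PATH):
    """Audit the real file; errors='replace' copes with odd encodings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['severity']:<4} {f['kind']:<10} "
              f"{f['ip']:<12} -> {f['host']}")
```

On the sample this lists four entries: the ad sinkhole as low severity, the two trendmicro.com sinkholes (the "antivirus website is being blocked" symptom from post #1) and the google.com redirect as high. Call `load_and_audit()` from an account that can read the real file to run it against your own machine; note that some malware marks the file read-only or hidden, so also check its attributes before assuming an empty result means it is untouched.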

#10 Tarmac Teaser (Guest)
    Not sure if this is any help, but you never know.

    Looking at your virus scan, there's a file that wasn't quarantined called TDSSSERF.DLL.

    Here's a description.

    TDSSSERF.DLL description and detail of TDSSSERF.DLL:

    The filename TDSSSERF.DLL was last seen on 08.27.2008, and it is considered unsafe.
    Threat name: Win32.X. Filename: [System32Root]\tdssserf.dll. Filesize: Unknown. Last seen: 08.27.2008. Status: Known to RemoveIT Pro as unsafe.
    This file can perform the following behaviour:
    - Usually created by an unsafe process.
    - Registered as a Dynamic Link Library file.
    - Usually has a random filename and refers to many versions of a dynamic link library.
    - Can be injected/attached to a legitimate Windows process such as explorer.exe or other.

    Here's the removal process:

    TDSSSERF.DLL removal instructions

    1. Temporarily disable System Restore; reboot the computer in Safe Mode.

    2. Locate the TDSSSERF.DLL virus files and uninstall the TDSSSERF.DLL program. Follow the step-by-step screen instructions to complete the uninstallation of TDSSSERF.DLL.

    3. Delete/modify any values added to the registry related to TDSSSERF.DLL, exit the registry editor and restart the computer.

    4. Clean/delete all TDSSSERF.DLL-infected file(s): TDSSSERF.DLL and related, or rename the TDSSSERF.DLL virus files.

    5. Delete all your IE temp files with TDSSSERF.DLL manually, then run a whole scan with an antivirus program.

#11 Subscriber (Fareham, Hampshire; joined Apr 2005; 8,991 posts)
    I recently had similar problems with my web browser that Trend Micro couldn't fix. I downloaded a malware removal tool from 'malwarebytes' and ran it, and it found several trojans and removed them. Not had a problem since. It worked a treat and was free, though I believe you have to buy it if you want to keep using it.

    http://www.malwarebytes.org/

    Worth a try?
    ADAM


    2008 R1200GSA

#12 Senior Member (Trapped; joined Sep 2005; 7,443 posts)
    If you want to keep your browser safe, use Firefox and install the add-on called 'NoScript'. It takes a little while to get used to its foibles, but it protects your browser and your privacy by stopping all ActiveX and JavaScript from loading when you visit a site for the first time.
    At first a web page may appear a bit bare, or the site you are visiting will warn you that 'Java' must be enabled to view or use the site; using the NoScript menu you can then authorise the individual elements of the website.

    You will be surprised at just how much crap is being put on your machine without your knowledge.

    Dick

#13 Subscriber (On the lost highway, Scotland; joined Feb 2007; 417 posts)
    My antivirus software claims to have quarantined the trojans, but they are still active. I have run a system recovery from my hard drive, but that failed to get rid of the problem.
    I am running out of time on this due to working long hours and am considering replacing the hard drive and installing a fresh copy of Windows.
    Would this eradicate my problem, or could it still show up on the new drive?

    Thanks again.

    Hank.

#14 Senior Member (Trapped; joined Sep 2005; 7,443 posts)
    No need to replace the drive. If you have a copy of XP, boot up from it and follow the installation procedure until you are presented with the choice of which partition you wish to install it on. You should then also have a choice to 'DELETE' the existing partition(s); delete the partition, reboot, and then carry on the installation from the beginning again.

#15 Subscriber (On the lost highway, Scotland; joined Feb 2007; 417 posts)
    Unfortunately I don't have a copy of XP. I bought my system from PC World, and the disc I thought was the Win XP disc turns out to be a copy of MS Works, which I have never installed as I have a licensed copy of MS Office. The cheapskates did, however, put a restore version on a partition of the hard drive. I performed a non-destructive reinstall from this as advised by the destruction book. I have some time off tomorrow, so I might rescue some of the programmes that I use from the original install and then go for full destruction and rebuild.

    I have tried to locate the rogue files in order to delete them, but they are hiding somewhere deep in the bilges.

    Thanks all.

    Hank ( The computer destroyer )

#16 Senior Member (Trapped; joined Sep 2005; 7,443 posts)

    Hank, if you were subscribed people could PM you and offer further assistance; 12 quid is a lot cheaper than a copy of XP.
